Skip to main content


Objects are identifiers for some kind of application objects. They can represent for example a file, network port, physical item, ... . It's up to the application to map its objects to an unambiguous identifier. The limit on object identifiers is 64 characters. We recommend the usage of UUIDs as they provide a high entropy and thus unique identifiers. It's however possible to use for example URLs or opaque tokens of any kind. Please check the limitations. Ory Keto will consider objects equal iff their string representation is equal.

Basic example

In the basic case an application uses the same object identifiers as it uses internally, for example a UUIDv4 like 61e75133-efff-4281-8148-a1806919f568 or SHA-1 hash like 5c6f593a4e12970d647843f97846fd5ed18179eb.

Head over to the basic full feature example to see an example with some context.

Advanced example: using application information within Keto objects

Because the Keto client can use arbitrary strings as objects, it's tempting to encode application data within the object. We strongly discourage this practice. Instead, you should use a UUID to map application data to Keto objects. This is required to ensure:

  1. single source of truth and easy data update
  2. free choice of encoding (Keto doesn't allow the characters :#@)
  3. unlimited data size (Keto only allows up to 64 characters)

For example, this could be used to implement checks on value ranges. The application knows the following mapping of comparison conditions and UUIDs:

greater_than: 5

greater_than: 2
smaller_equal: 5

Keto has the following relation tuples:

// Members of the admins group are allowed to set a value v > 5

// Members of the devs group are allowed to set a value v: 2 < v <= 5

// Anyone who can set a value v > 5 can also set 2 < v <= 5

The application will have to translate an incoming "set value" request to the corresponding condition the value fulfills. It's important to understand that Ory Keto does not know how to interpret any of the information. Rather, the application has to preprocess and map the value to the corresponding UUID.